swetik@eecs.wsu.edu (Paul Swetik) (02/26/91)
Having recently installed ISC (via Dell) NFS, I have not been able to backup files cleanly across the net. Is there a clean way to gain read permission for root on a client machine to backup NFS mounted 'read owner' files to the client tape drive?

My fix is brute force, i.e., run a script to change permissions to 'read other' on the server during the backup, run the backup, then change the permissions back. This is an obvious security problem during the backup except that all our machines are trusted hosts.

It has been suggested to add a switch to /etc/exports:

    / -r=0 monte #example line from my /etc/exports

The -r=0 doesn't seem to have any effect. I can't be the *only* person who ever wanted to backup files to a remote tape drive.

Thanks in advance.
cpcahil@virtech.uucp (Conor P. Cahill) (02/26/91)
swetik@eecs.wsu.edu (Paul Swetik) writes:
>Having recently installed ISC (via Dell) NFS, I have not been able
>to backup files cleanly across the net. Is there a clean way to
>gain read permission for root on a client machine to backup NFS

The problem is that root users are mapped to "nobody" when they try to access files/directories on an NFS mounted partition. The fix is to set the value of nobody to zero (the value of the root id) and voila you get full root privileges.

It should be noted that there are security reasons that root access is mapped to nobody, so changing this value may affect the security of your system.

A while back I posted source to "kernmod" which allows you to change the "nobody" id in the kernel to be zero, so root users accessing exported file systems get root privileges. If you don't have it, let me know & I will send it to you.

--
Conor P. Cahill (703)430-9247 Virtual Technologies, Inc.
uunet!virtech!cpcahil 46030 Manekin Plaza, Suite 160 Sterling, VA 22170
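Added example (not part of the original post, and not the kernmod source mentioned in it): on systems where the root-to-nobody mapping is set per export in /etc/exports rather than by a kernel variable, a check like this lists the exports where a client's root keeps uid 0 on the server. It assumes the Linux exports(5) options no_root_squash and anonuid and the SunOS/Solaris options root= and anon=; the sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample input; not taken from any machine in this thread.
SAMPLE_EXPORTS = """\
# Linux exports(5) style: path client(options) ...
/home       clienta(rw,root_squash) tapehost(ro,no_root_squash)
/srv/data   *(rw,anonuid=0,anongid=0)
/pub        *(ro)
# SunOS/Solaris style: path -option,option=value
/usr/local  -ro,root=tapehost
/export     -anon=0
"""

def risky(option):
    """True if this export option lets a client's root act as uid 0 on the server."""
    key, _, value = option.partition("=")
    if key == "no_root_squash":              # Linux: root is not mapped to nobody
        return True
    if key in ("anon", "anonuid"):           # the "nobody" uid itself is set to 0
        return value.strip() == "0"
    return key == "root" and value != ""     # SunOS/Solaris: listed hosts keep root

def audit_exports(text):
    """Return (path, client, option) for every export entry that defeats root squashing."""
    findings = []
    text = text.replace("\\\n", " ")         # join backslash-continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                         # blank, comment, or path with default options
        path = fields[0]
        for field in fields[1:]:
            if field.startswith("-"):        # SunOS style: options apply to the whole export
                client, options = "-", field[1:]
            else:                            # Linux style: host(options), or a bare host
                m = re.fullmatch(r"([^()]*)\((.*)\)", field)
                client, options = (m.group(1) or "*", m.group(2)) if m else (field, "")
            findings += [(path, client, o) for o in options.split(",") if risky(o)]
    return findings

if __name__ == "__main__":
    for path, client, option in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {option} (client {client})")
```

An export flagged only for one named backup host is a narrower exposure than anon=0 or anonuid=0, which applies to every client allowed to mount that path.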
les@chinet.chi.il.us (Leslie Mikesell) (03/01/91)
In article <1991Feb25.191542.29887@eecs.wsu.edu> swetik@eecs.wsu.edu (Paul Swetik) writes:
>Having recently installed ISC (via Dell) NFS, I have not been able
>to backup files cleanly across the net. Is there a clean way to
>gain read permission for root on a client machine to backup NFS
>mounted 'read owner' files to the client tape drive?

If you have something resembling rsh or remsh (remote shell) you can use the "afio" program to generate the backup on the tapeless machine and write it to the other machine's tape drive (another copy of afio runs there under rsh to access the device). Afio was posted a few years ago to one of the source groups. GNU tar should be able to do something similar or you could do it yourself with cpio or tar piped to rsh running dd at the machine with the tape drive.

The disadvantage of this approach is that you must make the backups separately per machine instead of slurping an entire network through the NFS mounts. The advantage is that it maintains the file system view as well as the security of the client machines.

Les Mikesell
les@chinet.chi.il.us
tim@dell.co.uk (Tim Wright) (03/04/91)
In <1991Feb28.204247.7270@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
>In article <1991Feb25.191542.29887@eecs.wsu.edu> swetik@eecs.wsu.edu (Paul Swetik) writes:
>>Having recently installed ISC (via Dell) NFS, I have not been able
>>to backup files cleanly across the net. Is there a clean way to
>>gain read permission for root on a client machine to backup NFS
>>mounted 'read owner' files to the client tape drive?

... instructions to use rsh/remsh deleted ...

>The disadvantage of this approach is that you must make the backups
>separately per machine instead of slurping an entire network through
>the NFS mounts. The advantage is that it maintains the file system
>view as well as the security of the client machines.

There is another serious advantage to this approach. Due to the behaviour of find, you will generate a lot less network traffic doing all the 'stat()s' on the machine to be backed up and just sending a "cpio stream" over the network. You don't need afio (though it is nice), just

    # rsh othermachine 'find / -print | cpio -ocB' | dd ibs=20b obs=64b of=mytape

Tim
--
Tim Wright, Dell Computer Corp., Bracknell | Domain: tim@dell.co.uk
Berkshire, UK, RG12 1RW. Tel: +44-344-860456 | Uucp: ...!ukc!delluk!tim
Nobody ever said I was charming before. They said, "Rimmer, you're a total git" - Red Dwarf, "Camille".